Search the CWE database for software security weaknesses. Find vulnerability types, descriptions, and remediation guidance.
CWE (Common Weakness Enumeration) is a community-developed catalog of software and hardware security weakness types maintained by MITRE Corporation. Each CWE entry describes a specific class of vulnerability—such as buffer overflow, SQL injection, or improper authentication—with a unique identifier (e.g., CWE-79 for Cross-Site Scripting), technical description, examples, mitigations, and relationships to other weaknesses.
While CVE (Common Vulnerabilities and Exposures) identifies specific vulnerabilities in specific products, CWE classifies the underlying weakness patterns that cause vulnerabilities. A single CWE can be the root cause of thousands of CVEs. Understanding CWEs helps developers write more secure code, security teams prioritize remediation efforts, and organizations build systematic defenses against entire categories of vulnerabilities.
CWE uses a hierarchical structure with multiple abstraction levels:
| Level | Description | Example |
|---|---|---|
| Pillar | Highest abstraction (broad categories) | CWE-664: Improper Control of a Resource |
| Class | A general weakness category | CWE-20: Improper Input Validation |
| Base | A specific weakness type | CWE-89: SQL Injection |
| Variant | A detailed sub-type | CWE-564: SQL Injection: Hibernate |
MITRE CWE Top 25 Most Dangerous Software Weaknesses (2024 selection):
| Rank | CWE | Name | Impact |
|---|---|---|---|
| 1 | CWE-79 | Cross-Site Scripting (XSS) | Code execution in browsers |
| 2 | CWE-787 | Out-of-Bounds Write | Memory corruption, code execution |
| 3 | CWE-89 | SQL Injection | Data breach, data manipulation |
| 4 | CWE-352 | Cross-Site Request Forgery | Unauthorized actions |
| 5 | CWE-22 | Path Traversal | Unauthorized file access |
| 6 | CWE-125 | Out-of-Bounds Read | Information disclosure |
| 7 | CWE-78 | OS Command Injection | System compromise |
| 8 | CWE-416 | Use After Free | Memory corruption |
| 9 | CWE-862 | Missing Authorization | Unauthorized access |
| 10 | CWE-434 | Unrestricted File Upload | Code execution |